rpms/selinux-policy/devel policy-20060608.patch, 1.47, 1.48 selinux-policy.spec, 1.243, 1.244

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Aug 3 16:50:30 UTC 2006 

Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv27604

Modified Files:
	policy-20060608.patch selinux-policy.spec 
Log Message:
* Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-20
- More fixes for xen


policy-20060608.patch:
 global_booleans                    |    2 
 global_tunables                    |   89 ++++++++------
 mcs                                |    3 
 mls                                |    9 -
 modules/admin/anaconda.te          |   10 +
 modules/admin/bootloader.te        |    6 -
 modules/admin/consoletype.te       |   11 +
 modules/admin/firstboot.te         |    5 
 modules/admin/netutils.te          |   10 -
 modules/admin/prelink.te           |    1 
 modules/admin/rpm.fc               |    2 
 modules/admin/rpm.if               |    4 
 modules/admin/usermanage.te        |    2 
 modules/kernel/corecommands.fc     |    1 
 modules/kernel/corenetwork.te.in   |    5 
 modules/kernel/devices.fc          |    3 
 modules/kernel/files.fc            |    1 
 modules/kernel/filesystem.if       |   21 +++
 modules/kernel/filesystem.te       |    2 
 modules/kernel/kernel.if           |   75 ++++++++++++
 modules/kernel/selinux.if          |   18 ++-
 modules/kernel/selinux.te          |    4 
 modules/kernel/storage.fc          |    1 
 modules/kernel/terminal.if         |   18 +++
 modules/services/amavis.te         |    7 +
 modules/services/apache.te         |    1 
 modules/services/automount.te      |    8 +
 modules/services/avahi.te          |    2 
 modules/services/bind.fc           |    3 
 modules/services/bluetooth.if      |   23 +++
 modules/services/bluetooth.te      |    7 +
 modules/services/clamav.fc         |    3 
 modules/services/clamav.if         |   22 +++
 modules/services/clamav.te         |   20 ---
 modules/services/cron.if           |   16 ++
 modules/services/cups.te           |    6 -
 modules/services/cyrus.te          |    5 
 modules/services/dovecot.fc        |    1 
 modules/services/dovecot.te        |   10 +
 modules/services/ftp.te            |    2 
 modules/services/hal.te            |   10 +
 modules/services/inetd.te          |   12 +-
 modules/services/ldap.fc           |    1 
 modules/services/ldap.if           |   21 +++
 modules/services/ldap.te           |    2 
 modules/services/lpd.if            |   20 +--
 modules/services/mailman.te        |   15 ++
 modules/services/nis.te            |    1 
 modules/services/nscd.if           |   20 +++
 modules/services/ntp.te            |    2 
 modules/services/openvpn.te        |    8 +
 modules/services/pegasus.if        |   31 +++++
 modules/services/pegasus.te        |    5 
 modules/services/postfix.te        |   13 ++
 modules/services/postgrey.fc       |    2 
 modules/services/postgrey.if       |   19 +++
 modules/services/postgrey.te       |   20 +++
 modules/services/procmail.te       |    5 
 modules/services/radius.fc         |    1 
 modules/services/radius.te         |    8 +
 modules/services/remotelogin.te    |    1 
 modules/services/samba.te          |    6 -
 modules/services/setroubleshoot.fc |   11 +
 modules/services/setroubleshoot.if |   24 ++++
 modules/services/setroubleshoot.te |  146 ++++++++++++++++++++++++
 modules/services/spamassassin.te   |    4 
 modules/services/squid.te          |    9 -
 modules/services/ssh.if            |   24 ++++
 modules/services/tftp.te           |    1 
 modules/services/xfs.te            |    2 
 modules/services/xserver.if        |   22 +++
 modules/services/xserver.te        |    3 
 modules/services/zebra.te          |    7 +
 modules/system/authlogin.if        |    3 
 modules/system/authlogin.te        |    1 
 modules/system/fstools.fc          |    1 
 modules/system/getty.fc            |    1 
 modules/system/getty.te            |    3 
 modules/system/hostname.te         |   10 +
 modules/system/hotplug.te          |    2 
 modules/system/init.if             |    7 -
 modules/system/libraries.fc        |    4 
 modules/system/locallogin.te       |    1 
 modules/system/logging.fc          |    3 
 modules/system/logging.if          |    6 -
 modules/system/logging.te          |    9 +
 modules/system/lvm.te              |    3 
 modules/system/mount.te            |    2 
 modules/system/selinuxutil.te      |   29 ++++
 modules/system/setrans.te          |    5 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.fc             |    1 
 modules/system/udev.te             |    4 
 modules/system/unconfined.fc       |    1 
 modules/system/unconfined.if       |    8 -
 modules/system/unconfined.te       |   13 +-
 modules/system/userdomain.if       |  221 ++++++++++++++++++++++++-------------
 modules/system/userdomain.te       |   50 +++-----
 modules/system/xen.if              |   38 ++++++
 modules/system/xen.te              |   30 +++--
 100 files changed, 1098 insertions(+), 274 deletions(-)

Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -r1.47 -r1.48
--- policy-20060608.patch	3 Aug 2006 14:47:22 -0000	1.47
+++ policy-20060608.patch	3 Aug 2006 16:50:26 -0000	1.48
@@ -1977,7 +1977,7 @@
  ') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.3.3/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2006-07-14 17:07:14.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/ssh.if	2006-08-03 10:32:50.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/ssh.if	2006-08-03 10:49:34.000000000 -0400
 @@ -71,6 +71,7 @@
  	allow $1_ssh_t self:msgq create_msgq_perms;
  	allow $1_ssh_t self:msg { send receive };
@@ -3077,7 +3077,7 @@
  			selinux_set_boolean(sysadm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.3/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2006-07-14 17:07:12.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/xen.if	2006-08-03 10:26:57.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/xen.if	2006-08-03 12:41:40.000000000 -0400
 @@ -127,3 +127,41 @@
  	allow xm_t $1:fifo_file rw_file_perms;
  	allow xm_t $1:process sigchld;
@@ -3096,10 +3096,10 @@
 +#
 +interface(`xen_use_fds',`
 +	gen_require(`
-+		type xen_t;
++		type xend_t;
 +	')
 +
-+	allow $1 xen_t:fd use;
++	allow $1 xend_t:fd use;
 +')
 +
 +########################################
@@ -3115,14 +3115,14 @@
 +#
 +interface(`xen_dontaudit_use_fds',`
 +	gen_require(`
-+		type xen_t;
++		type xend_t;
 +	')
 +
-+	dontaudit $1 xen_t:fd use;
++	dontaudit $1 xend_t:fd use;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.3/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-07-14 17:07:12.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/xen.te	2006-08-03 10:26:57.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/xen.te	2006-08-03 12:45:18.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(xen,1.0.7)
@@ -3130,16 +3130,18 @@
  
  ########################################
  #
-@@ -70,6 +70,8 @@
+@@ -69,7 +69,10 @@
+ #
  
  allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
++dontaudit xend_t self:capability { sys_ptrace };
  allow xend_t self:process { signal sigkill };
 +dontaudit xend_t self:process ptrace;
 +
  # internal communication is often done using fifo and unix sockets.
  allow xend_t self:fifo_file rw_file_perms;
  allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -79,7 +81,7 @@
+@@ -79,7 +82,7 @@
  allow xend_t self:packet_socket create_socket_perms;
  
  allow xend_t xen_image_t:dir r_dir_perms;
@@ -3148,7 +3150,7 @@
  
  # pid file
  allow xend_t xend_var_run_t:file manage_file_perms;
-@@ -130,6 +132,8 @@
+@@ -130,6 +133,8 @@
  corenet_tcp_bind_soundd_port(xend_t)
  corenet_sendrecv_xen_server_packets(xend_t)
  corenet_sendrecv_soundd_server_packets(xend_t)
@@ -3157,7 +3159,14 @@
  
  dev_read_urand(xend_t)
  dev_manage_xen(xend_t)
-@@ -144,13 +148,17 @@
+@@ -138,19 +143,24 @@
+ 
+ domain_read_all_domains_state(xend_t)
+ domain_dontaudit_read_all_domains_state(xend_t)
++domain_dontaudit_ptrace_all_domains(xend_t)
+ 
+ files_read_etc_files(xend_t)
+ files_read_kernel_symbol_table(xend_t)
  files_read_kernel_img(xend_t)
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t,file)
@@ -3177,7 +3186,7 @@
  
  libs_use_ld_so(xend_t)
  libs_use_shared_libs(xend_t)
-@@ -171,7 +179,7 @@
+@@ -171,7 +181,7 @@
  netutils_domtrans(xend_t)
  
  optional_policy(`
@@ -3186,7 +3195,14 @@
  ')
  
  ########################################
-@@ -196,10 +204,11 @@
+@@ -191,15 +201,18 @@
+ allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
+ 
++domain_dontaudit_ptrace_all_domains(xenconsoled_t)
++
+ kernel_read_kernel_sysctls(xenconsoled_t)
+ kernel_write_xen_state(xenconsoled_t)
  kernel_read_xen_state(xenconsoled_t)
  
  term_create_pty(xenconsoled_t,xen_devpts_t);
@@ -3199,7 +3215,7 @@
  
  libs_use_ld_so(xenconsoled_t)
  libs_use_shared_libs(xenconsoled_t)
-@@ -238,10 +247,11 @@
+@@ -238,10 +251,11 @@
  dev_filetrans_xen(xenstored_t)
  dev_rw_xen(xenstored_t)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.243
retrieving revision 1.244
diff -u -r1.243 -r1.244
--- selinux-policy.spec	3 Aug 2006 14:47:22 -0000	1.243
+++ selinux-policy.spec	3 Aug 2006 16:50:26 -0000	1.244
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.3.3
-Release: 19
+Release: 20
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,9 @@
 %endif
 
 %changelog
+* Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-20
+- More fixes for xen
+
 * Thu Aug 3 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-19
 - Fix anaconda transitions

More information about the fedora-cvs-commits mailing list